Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [day] [month] [year] [list]
Date: Mon, 23 Jul 2018 21:03:52 +0100
From: Jonathan Gallimore <jgallimore@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2018-8031 Apache TomEE Webapp XSS

CVE-2018-8031 Apache TomEE Webapp XSS

Severity: Low

Vendor: The Apache Software Foundation

Description:
The TomEE console (tomee-webapp) has a XSS vulnerability which could allow
javascript to be executed if the user is given a malicious URL. This web
application is typically used to add TomEE features to a Tomcat
installation. The TomEE bundles do not ship with this application included.

Mitigation:
This issue can be mitigated by removing the application after TomEE is
setup (if using the application to install TomEE), using one of the
provided pre-configured bundles, or by upgrading to TomEE 7.0.5.

This issue is resolve in this commit: b8bbf50c23ce97dd64f3a5d77f78f8
4e47579863

Credit: Many thanks to Man Yue Mo from Semmle for reporting this issue.

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Powered by Openwall GNU/*/Linux - Powered by OpenVZ